Thursday, December 31, 2015

3 files named "Confidential Letter" has been shared with you and will be
available in Google Drive, you can access them anytime below
Drive_Statement <hxxp://xxxxxxx.in/u.php>
Google Drive: create, share, and keep all your stuff in one place.
<https://drive.google.com/>

1) Leads to a typical fake Google Drive login: (Not .IN (India) URL)

2) Again this is NOT how Google does logins - they do not use other email services to authenticate:

3) New wrinkle, fake animation for "opening" the drive

(Leads to a PDF with a financial document report - probably nothing you'd be interested in.)

Wednesday, December 9, 2015

This month we had a report of a customer who contacted the legitimate tech support number listed on the bill for a major Internet service provider. In the course of that call, the support analyst determined that his options for helping the customer had been exhausted and transferred the customer to another support line.

The secondary support (Technicalsupport4u in India) took remote control of the victim's computer, asked for a credit card number and ended up charging $399 (from a bank in Paris) to that credit card. Frighteningly, that "support analyst" called to follow up the next day; although the problems were still not solved, that follow-up call adds to the seeming legitimacy of the scam. When the victim contacted the ISP, they said that they would never do such a thing or charge that much to a credit card. The victim ended up having to cancel that credit card and change bank routing numbers, which is a huge hassle.

We followed up with the security team at the ISP, as it is alarming that while most telephone scams begin with the scammers contacting the victim, in this case the victim contacted a legitimate, trusted service and ended up connected to the scammers. They acknowledged that while their tech support has a list of vetted contacts for other support teams, sometimes the support analyst just Googles for support numbers instead of using the list, and transfers the customer in order to be helpful. They said they would investigate.

Important takeaway: Constant vigilance! Even if the starting point is trusted, beware of transfers to other locations.

Monday, December 7, 2015

Seven Steps for Making Identity Protection Part of Your Routine

IRS Security Awareness Tax Tip Number 3, December 7, 2015

The theft of your identity, especially personal information such as your name, Social Security number, address and children’s names, can be traumatic and frustrating. In this online era, it’s important to always be on guard. ...

Monday, November 9, 2015

Most phishing appears to be aimed at stealing email credentials to use for spamming, but occasionally the phishers have a more sophisticated strategy, namely using a stolen account for malicious financial purposes.

Some phishers are looking to hijack accounts they can use to extract payments from University departments - using the account to send requests, sometimes quite insistent, to request fund transfers.

The phisher first adds mail filters that move selected messages into folders, so they never land in the victim's inbox.

Once the phisher is ready, they use the account to send invoices or other messages to relevant contacts in the victim's mail, requesting money be directed to a bank account they control. Filters divert responses into a folder (or to another email account) so the victim does not see the exchange.
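A mailbox audit for the hiding filters described above, as an added example that is not part of the original post. The filter dictionaries follow the Gmail API filter resource; `HOME_DOMAIN`, the keyword list, the threshold and all sample filters are assumptions constructed for illustration.

```python
# Added example: score mail filters for the "hide the replies" pattern.
HOME_DOMAIN = "umn.edu"                      # assumption: the home mail domain
MONEY_WORDS = ("invoice", "payment", "wire", "transfer", "bank")  # assumption

def audit_filter(f):
    """Return the reasons a filter looks like account-takeover tooling."""
    crit, act = f.get("criteria", {}), f.get("action", {})
    removed = set(act.get("removeLabelIds", []))
    added = set(act.get("addLabelIds", []))
    reasons = []
    if "INBOX" in removed:
        reasons.append("skips inbox")
    if "UNREAD" in removed:
        reasons.append("marks as read")
    if "TRASH" in added:
        reasons.append("sends to trash")
    fwd = act.get("forward", "")
    if fwd and not fwd.lower().endswith("@" + HOME_DOMAIN):
        reasons.append("forwards outside " + HOME_DOMAIN)
    # Keywords only count when the filter already hides or diverts mail.
    text = " ".join(str(crit.get(k, "")) for k in ("from", "subject", "query"))
    if reasons and any(w in text.lower() for w in MONEY_WORDS):
        reasons.append("matches financial keywords")
    return reasons

def suspicious_filters(filters, threshold=2):
    """Filters with at least `threshold` findings, highest count first."""
    scored = [(f["id"], audit_filter(f)) for f in filters]
    hits = [(fid, r) for fid, r in scored if len(r) >= threshold]
    return sorted(hits, key=lambda h: -len(h[1]))

SAMPLE_FILTERS = [  # constructed sample data
    {"id": "f1", "criteria": {"from": "lists@example.org"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": 'invoice OR payment OR "wire transfer"'},
     "action": {"addLabelIds": ["Label_12"],
                "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f3", "criteria": {"from": "accounts-payable@example.edu"},
     "action": {"removeLabelIds": ["INBOX"], "forward": "drop@example.net"}},
]

if __name__ == "__main__":
    for fid, reasons in suspicious_filters(SAMPLE_FILTERS):
        print(fid, "->", ", ".join(reasons))
```

An ordinary mailing-list filter such as `f1` stays below the threshold, so the report lists only filters that both hide mail and either divert it or target financial correspondence.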

The good news is, we have yet to see this scenario succeed. So far in all cases reported, the requests have been resisted and no money has been reported lost.

Best practices:

Be sure your department has established procedures for all financial transactions, and stick to them.

Treat unusual, hurried and insistent requests with suspicion. "Is this the way Professor Smith normally acts?"

Use other means of communication than email to confirm unusual requests. Make a phone call, or ask in a face-to-face conversation.

Thursday, October 15, 2015

Thank you for your application. At Houston Methodist, we are proud of the talented, knowledgeable and dedicated employees who have helped build our tradition of excellence in health care. Complete the application form attached. Job description and requirements for the position can be viewed on our website or from Google drive.

hxxps://drive.google.com/open?id=xxxxxxxxxxxxxxxxxx

Regards.
Xxxxxxx Xxxxxxxx
423-###-###
Houston Methodist

BE AWARE! This email links to an innocuous-looking Google Drive (below), with an application form and an "application requirements" file. The requirements file is actually a poisoned .scr file that, on a Windows system, could install trojan software. Anyone who opened the Application file should contact their tech support for assistance in determining whether they have been compromised.

Very good, attached please find the last sets of paper work Uploaded using
Google drive <hxxp://xxxxxxxxxxx.in/dss/Hot/page/auth/view/document> in
your final review, and don't forget to follow the instruction, to make a
review.

Hello,
We assessed the 2015 salary structure as provided for under the terms of employment and discovered that you are due for a salary raise starting August 2015
Your salary raise documents are enclosed below:

Monday, August 3, 2015

I just shared a document with you using the new Google App. To open this
document, go to hxxp://drive.google.com
<hxxp://e-tuition.net/media/platform> to view it and sign in with your
email address, as it is stored online.

Friday, July 24, 2015

> From: "State Court"
> Date: July 23, 2015 at 11:07:01 PM CDT
> To:
> Subject: Notice to Appear in Court
> Reply-To: "State Court"
>
> Notice to Appear,
>
> You have to appear in the Court on the July 31.
> You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
> Note: The case will be heard by the judge in your absence if you do not come.
>
> The Court Notice is attached to this email.
>
> Kind regards,
> Court Secretary.

Wednesday, July 8, 2015

We are seeing a coordinated set of phishing messages aimed at harvesting information from the University community. Please report any such mail you've received to phishing@umn.edu

If you have entered your login information in such a fraudulent page - change your password immediately. If you have revealed personal or financial information, please refer to https://www.identitytheft.gov/ for steps to secure your information.

It has been our pleasure to provide you with an umn.edu campus login and
email account in the past. Please be advised that effective 11/07/2015 we will
be deleting accounts whose account has not been validated yet.
Re-Validate< Click Here>

Please make arrangements to move valued email messages to another email
account before the above date, as all messages will be deleted along with the
accounts at that time if you no longer need it.
Thank you for your attention.

(NOTE: some of these come from outside the U, but once the phishers have captured some accounts, this and the remaining messages are sent from UMN accounts, and the forms are hosted on UMN Google.)

NEXT - Phished login information is used to set up a variety of forms used to steal financial information. Phished accounts are then used to send this email to UMN community members.

From : VISA/MASTER CARD

To : <undisclosed-recipients:;>

Date : Wed, 08 Jul 2015 01:12:37 -0500

Subject : Visa/Master Card Verification

============ Forwarded message ============

Dear Esteemed Customer,

Due to some suspicious activities, we advice you verify your VISA/MASTER CARD details.

Please click here < Verify > to verify your card.

For your safety this link will expire within 6 hours

© Copyright 1996-2015 Visa. All Rights Reserved.

*From:* ctl@umn.edu.RE-VALIDATE

(NOTE: ctl@umn.edu is a non-existent UMN address)

*Sent:* Wednesday, July 08, 2015 4:03 AM

*Subject:* Easy Fast And Reliable??

*Internal Revenue Service Record Shows You Are Still Yet To Validate.*

Update your *Internal Revenue* *Record* immediately today,

validation of your identity due to the new health care *Service* and much

Tuesday, June 2, 2015

I just shared a document with you using Google Drive. To open this
document, go to hxxps://drive.google.com
<hxxp://xxxxxxxxx.com.br/platform/directory> to view it and sign in
with your email address, as it is stored online.

Note: it's not an attachment, it's a document stored online.

Best Regards

Things to note:

Sent from a compromised UMN account.

Familiar fake Google-login page.

Hosted at a .br (Brazil!) web address.

Review our earlier post to see what logging into a UMN.EDU Google resource really looks like.
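The gap between the address shown and the address actually linked, seen in this message and in the August 3 one, can be checked mechanically. The following is an added example, not part of the original post; the trusted-suffix list and the function names are assumptions, and the sample text is the defanged message quoted above.

```python
import re
from urllib.parse import urlsplit

# Plain-text mail renders a link as: visible text <real target>.
PAIR = re.compile(r"(\S+)\s*<\s*(h(?:xx|tt)ps?://[^>\s]+)\s*>", re.I)

def refang(url):
    """Turn a defanged hxxp(s):// URL into http(s):// for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)

def host(url):
    """Lower-cased hostname of a (possibly defanged) URL, or ''."""
    return (urlsplit(refang(url)).hostname or "").lower()

def mismatched_links(body, trusted=("google.com", "umn.edu")):
    """Return (shown_host, real_host) pairs where the visible text is a URL
    for one host but the target is a different host outside `trusted`."""
    findings = []
    flat = " ".join(body.split())          # undo hard line wraps
    for shown, target in PAIR.findall(flat):
        real = host(target)
        shown_host = host(shown) if "://" in shown else ""
        ok = any(real == t or real.endswith("." + t) for t in trusted)
        if shown_host and shown_host != real and not ok:
            findings.append((shown_host, real))
    return findings

# Defanged, redacted text as quoted in the posts on this page.
SAMPLE_JUNE = ("document, go to hxxps://drive.google.com\n"
               "<hxxp://xxxxxxxxx.com.br/platform/directory> to view it")
SAMPLE_AUGUST = ("document, go to hxxp://drive.google.com\n"
                 "<hxxp://e-tuition.net/media/platform> to view it")
# Constructed benign case: text and target agree.
SAMPLE_OK = "see https://drive.google.com <https://drive.google.com/open?id=1>"

if __name__ == "__main__":
    for s in (SAMPLE_JUNE, SAMPLE_AUGUST, SAMPLE_OK):
        print(mismatched_links(s))
```

Links whose visible text is a label rather than a URL, such as "Click Here", are not covered by this check and need a separate comparison of the target host against the expected login host.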

Thursday, May 28, 2015

This is to notify you that the University of Minnesota received a
terror threat through your email directly to the University.The (IT)
Policy Help Center STRICTLY require your email account verified and
clear you from sending terror threats at the University with the email
system of the University and for an active affiliation with cyber
technology services.

The satellite system network does not show 2015 active university data for
you at this time. You are required to provide the following
information in response to this email for activation and proper
verification and scrutiny:

Internet ID:

Password:

Your email account is scheduled to be deactivated within 24 hours "Non
Compliance "After that time, you will not be able to access your
mail box. Emails sent to your mailbox will be rejected.

Note:

This purports to be from the U, but has a non-umn.edu return address

This expects to receive USERID and Password in an email - The University will NEVER make such a request.

Wednesday, May 6, 2015

A Package is coming your way through DHL ....
Track your Business documents as assigned by your supplier To be delivered
to you, till it gets to your delivery address.
Kindly find attached tracking details and confirm if all details are
Correct for instant delivery .

Monday, May 4, 2015

The Office of IT Infrastructure has upgraded storage access to increase the
protection of data assets and system performance Click on:
Facultystaffsecured <hxxp://xxxx.ezweb123.com/> to upgrade storage

Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.

Refer to the Security Tip (ST04-014) on Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Tuesday, April 7, 2015

The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.

Thursday, March 19, 2015

We've seen an uptick in a phishing spam with a bonus - a nasty attachment!

Below are some examples - other emails claim to be invoices, or package shipment details. Treat these as spam, and delete - the attachments can contain invasive programs that are intended to download malware and infect your computer.

If you've opened one of these attachments, contact your tech support ASAP for assistance. Depending on how invasive the payload is, you may need to reinstall your system!

Beware, and be aware - unexpected email like this is almost certainly fraudulent.

You have to appear in the Court on the March 24.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

You have to appear in the Court on the February 23.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

Friday, March 13, 2015

Hello,
The 2014 salary structure was recently reviewed and it was discovered that you are due for a 4.18% salary raise on your next paycheck starting March 2015.
Login below with your credentials to read your salary raise letter.

You are required to update your University of Minnesota account information
due to recent update in our database. Please follow the link below to
update your account information.

University of Minnesota Account Update
<hxxp://xxxxx.es/includes/db/umn/access_web.htm>

Regards,

The University of Minnesota

Things to note:

URL is NOT from "umn.edu," - it's hosted in Spain.

VERY good copy of current login page

IF a person fills it out, it redirects to myu.umn.edu and will show you what appears to be the same login page. Users will probably assume they mistyped their password and re-enter it, THEN get a successful login.